The StoneDrill trojan, a wiper malware similar to the Shamoon malware and reuses code from the “NewsBeef” espionage campaign, was first reported in March 2017 by Kaspersky. Its features include advanced evasion techniques, including injecting wiping modules into the computer’s memory associated with the user’s preferred browser, and a backdoor capability used for espionage purposes. Researchers are still unsure of how the trojan spreads. Kaspersky researchers identified four C2 panels that attackers used to steal data from a range of targets. The attackers have used StoneDrill to target a large European company in the petrochemical sector. Traditionally these actors have focused targeting against Saudi Arabia and those with interest or connections to the nation. The trojan contains support for Arabic-Yemen language and Persian language is embedded in the code, prompting researchers to believe that one or both languages are “false flags” intended to mislead investigators on the origin of the malware. StoneDrill and other destructive malware pose a substantial risk to organizations whose interests counter those of the attackers.
- March 2017: New Data-Wiping Malware, StoneDrill, Targets Europe. (ARS Technica)
- Kaspersky Lab provides technical analysis of StoneDrill and Shamoon in their report, available here.